There seems to be a bug in mail/py-spf-engine that breaks mail delivery if the 
pkg-message instructions are followed and

  smtpd_recipient_restrictions =
            ...
            reject_unauth_destination
            check_policy_service unix:private/policyd-spf

is added to main.cf.  I get the following errors with the check_policy_service 
unix:private/policyd-spf enabled.

pyspf-milter[9915]: prepend Authentication-Resultmailservuki; spf=pass (sender SPF authorized) smtp.mailfrom=gmail.com (client-ip=209.85.214.181; helo=mail-pl1-f181.google.com;envelope-from=db...@gmail.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1
postfix/smtp-in/smtpd[38681]: warning: missing attribute action in input from private/policyd-spf
postfix/smtp-in/smtpd[38681]: warning: problem talking to server private/policyd-spf: Application error
postfix/smtp-in/smtpd[38681]: NOQUEUE: reject: RCPT from mail-pl1-f181.google.com[209.85.214.181]: 451 4.3.5<b...@domain.com>: Recipient address rejected: Server configuration problem; from=<db...@gmail.com> to=<b...@domain.com> proto=ESMTP helo=<mail-pl1-f181.google.com>
postfix/spawn[38795]: warning: command /usr/local/bin/policyd-spf exit status 1

If I comment out the policyd-spf smtpd_recipient_restriction, then mail is 
delivered properly without it.  If I patch the file /usr/local/bin/spf.py-3.11 
as follows:

import struct  # for pack() and unpack()
import time    # for time()
++ import os
++ os.environ['CRYPTOGRAPHY_OPENSSL_NO_LEGACY'] = '1'
try:
    import urllib.parse as urllibparse # for quote()
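
Review bot: The assignment added after `import time` overwrites CRYPTOGRAPHY_OPENSSL_NO_LEGACY unconditionally and carries no comment saying why it is there. Prefer `os.environ.setdefault('CRYPTOGRAPHY_OPENSSL_NO_LEGACY', '1')` so a value set by the administrator is respected, and add a comment noting that the variable tells the Python cryptography package not to load OpenSSL's legacy provider and therefore has to be set before anything imports cryptography. Because an in-place edit to /usr/local/bin/spf.py-3.11 is lost when the package is upgraded, the change would be better carried as a patch in the port, or the variable set in the environment of the policyd-spf and pyspf-milter services instead of in the module.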

and re-enable the smtpd_recipient_restriction, the error is resolved and mail 
is delivered.

pyspf-milter[50096]: prepend Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com;envelope-from=ser...@domain.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: 5925D8793: client=server.domain.com[10.3.0.133]
postfix/cleanup[622]: 5925D8793: message-id=<>
pyspf-milter[50096]: Authentication-Resultmailservuki; none (SPF check N/A for local connections - client-ip=10.3.0.133; helo=server.domain.com;envelope-from=ser...@domain.com; receiver=<UNKNOWN>)
postfix/smtp-in/smtpd[612]: disconnect from server.domain.com[10.3.0.133] ehlo=1 mail=1 rcpt=1 data=1 quit=1 commands=5
postfix/qmgr[99347]: 5925D8793: from=<ser...@domain.com>, size=694, nrcpt=1 (queue active)
postfix/pipe[637]: 5925D8793: to=<b...@domain.com>, relay=dovecot, delay=0.09, delays=0.05/0/0/0.04, dsn=2.0.0, status=sent (delivered via dovecot service)
postfix/qmgr[99347]: 5925D8793: removed

It seems like this might be a useful patch to the port. It isn't clear this 
impacts other operating systems or even all configurations of FreeBSD, but it 
has been necessary for me for both FreeBSD 13 and a fresh reinstall with 
FreeBSD 14.1.

https://answers.launchpad.net/spf-engine/+question/818909

https://forums.freebsd.org/threads/pyspf-milter-service-silently-not-starting.95215/#post-674665
